The ICO has issued guidance in relation to the collection of additional personal information as part of the process of providing a safe environment for staff during the Covid-19 pandemic. This guidance is to help organisations comply with data protection legislation under the principles of transparency, fairness and proportionality.
The ICO has set out six key data protection steps, which are as follows:
- Only collect and use what’s necessary – organisations should consider how collecting any additional personal information will help keep their workplace safe, whether they really need the information, and whether any testing being considered will actually help to provide a safe environment.
- Keep it to a minimum – only collect information that is required to implement any additional measures; this includes information concerning Covid-19 symptoms or any related test results. Also, remember that some information only needs to be held for a short time and does not require a permanent record.
- Be clear, open and honest with staff about their data – organisations need to be clear as to how they will use employees’ personal information and exactly why they need it. They should also tell employees with whom they will share their information and for how long they intend to keep it. Ensure privacy notices are updated as soon as possible to reflect any changes.
- Treat people fairly – employers should ensure that decisions about staff based on health information do not entail unlawful discrimination.
- Keep people’s information secure – any personal data held must be held securely and only for as long as is absolutely necessary.
- Enable staff to exercise their information rights – the ICO expects organisations to keep their employees informed about their personal data rights such as the right to rectification and the right of access.
Testing and information collection
If an organisation is considering putting testing arrangements in place, they should consider whether:
- Access to health information can be limited to medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility.
- There are reasonable alternative measures which do not rely on personal information, such as strict social distancing or working from home.
Employers will need to consider why they deem testing measures as being an appropriate way to keep the workplace safe and prove the effectiveness of these measures. The latest government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted Covid-19 will need to be considered. Remember that implementing mandatory testing is not just a question of data protection; there are also considerations to be made around equality, health and safety and employment law.
The regularity of testing and checking employees and the subsequent processing of this data should be proportionate to the circumstances surrounding individuals.
If an organisation is providing testing for their employees, it must inform staff what personal information will be required, why it will be required and for how long it will be kept. Make sure employees are made aware of their data rights. It would be beneficial to allow employees to discuss any concerns surrounding the collection of the data with the employer.
Employers can maintain lists of those employees with symptoms and who have tested positive, provided they comply with the applicable data protection principles. Employers must ensure that any lists do not result in any unfair or harmful treatment of employees. Such treatment could arise from the recording of inaccurate information or from failing to acknowledge that an individual’s circumstances may change over time.
The ICO guidance indicates that employers should keep staff informed about potential or confirmed Covid-19 cases amongst their colleagues. However, they should avoid naming individuals and keep information to a minimum.
If surveillance systems are used to monitor employees’ compliance with health and safety measures or to assist with contact tracing, employees should be informed what is being done. Any notices issued to them should clearly inform employees about the nature and extent of surveillance and its purpose(s). There should be regular reviews of any surveillance taking place, as there are concerns that sensitive aspects of employees’ behaviours and relationships could be revealed. Employees have legitimate expectations that they can keep their personal lives private and are entitled to a certain degree of privacy whilst at work. Therefore, should it be deemed unnecessary to continue surveillance, it should be stopped.
It is abundantly clear that planning for employees’ return to the workplace following lockdown, and the subsequent management of any ongoing health and safety issues presented by Covid-19, must take into account data protection and the requirements for attaining compliance.
Go here to access the ICO’s data protection and coronavirus information hub: https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/